Saturday, August 31, 2019

Advanced Persistent Threat

Advanced Persistent Threats (APTs) are a growing concern in the security industry and are aggressive in nature. An APT uses multiple phases and advanced techniques to break into a network, avoid detection, and harvest valuable information over the long term. APTs go after a specific target, seeking extremely high-value data in a specific organization, which distinguishes them from other types of hacking activity. These threats can steal an organization's assets for monetary gain or for a political cause, and can also disrupt core infrastructure in an organization.

A custom designed APT malware can exploit zero-day vulnerabilities and can evade traditional defenses. This can then be combined with physical theft and clever social engineering in targeted “phishing” attacks. In the end, APTs harness the full spectrum of logical, physical, and social attack vectors. They exhibit no single activity pattern, making them difficult to detect.


Phases of APT
The different phases of an APT can be summarized as below:
  1. Reconnaissance: Attackers leverage information from a variety of sources to understand their target
  2. Incursion: Attackers break into the network by using social engineering to deliver targeted malware to vulnerable systems and people
  3. Discovery: Once in, the attackers stay "low and slow" to avoid detection. They then map the organization's defenses from the inside, create a battle plan, and deploy multiple parallel kill chains to ensure success
  4. Capture: Attackers access unprotected systems and capture information over an extended period. They may also install malware to secretly acquire data or disrupt operations
  5. Exfiltration: Captured information is sent back to the attack team's home base for analysis and further exploitation, fraud, or worse
How to get protected?
To guard against APT attacks, organizations must develop a defense-in-depth strategy across logical, physical, and social boundaries. A SIEM tool can be used to analyze events and create alert/correlation rules for APT detection, and then to design a strategy to combat such attacks. Some of the rules that can be built to detect APTs are as follows:
  1. Abnormal Internal Connections
  2. Abnormal Outbound Connections
  3. Blacklist Location Authentication
  4. Concurrent VPN from Multiple Countries
  5. Concurrent VPN from Multiple Regions
  6. Critical Event After Attack
  7. Failed Account Probe
  8. Failed Account Probe on Multiple Hosts
  9. Port Scan then Attack
  10. Account Creation
  11. Attack then External Connection
  12. Brute Force Auth
  13. Log Cleared
  14. Data Exfiltration
  15. DDoS Attack
  16. Identifying Cross-Site Scripting (XSS) Attacks
  17. Identifying Excessive HTTP Errors
  18. Identifying SQL Injection Attacks
  19. Identifying Traffic from Low Reputation Hosts
  20. Lateral Movement then Account Creation
  21. Lateral Movement with Account Sweep
  22. Numerous Internal Failed Auths
  23. Outbound Traffic Rate Increase
  24. System Time Change
  25. Threat Intelligence Connection
  26. High Risk Vulnerable Sources (Correlate the data from vulnerability management)
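Three of the rules above (Failed Account Probe on Multiple Hosts, Concurrent VPN from Multiple Countries, and Port Scan then Attack) are shown below as a small correlation engine over constructed sample events. This is an added example, not code from the original post or from any particular SIEM product; the event field names, time windows and thresholds are assumptions chosen for illustration, and a real deployment would tune them to its own log sources and baseline.

```python
"""Toy SIEM-style correlation rules (added example; not from the original post).

Events are plain dicts with an ISO-8601 UTC timestamp. The sample data below is
constructed for the example and does not come from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events covering three of the listed detection rules.
SAMPLE_EVENTS = [
    # One account failing on four different hosts inside a few seconds: account probe.
    {"ts": "2019-08-31T10:00:01", "type": "auth_fail", "user": "jdoe", "host": "srv-01", "src_ip": "10.0.0.5"},
    {"ts": "2019-08-31T10:00:04", "type": "auth_fail", "user": "jdoe", "host": "srv-02", "src_ip": "10.0.0.5"},
    {"ts": "2019-08-31T10:00:09", "type": "auth_fail", "user": "jdoe", "host": "srv-03", "src_ip": "10.0.0.5"},
    {"ts": "2019-08-31T10:00:12", "type": "auth_fail", "user": "jdoe", "host": "srv-04", "src_ip": "10.0.0.5"},
    # Same VPN account from two countries fifteen minutes apart: impossible travel.
    {"ts": "2019-08-31T10:05:00", "type": "vpn_login", "user": "asmith", "country": "DE", "src_ip": "203.0.113.7"},
    {"ts": "2019-08-31T10:20:00", "type": "vpn_login", "user": "asmith", "country": "BR", "src_ip": "198.51.100.9"},
    # A port scan followed by an IDS alert from the same source: scan then attack.
    {"ts": "2019-08-31T11:00:00", "type": "port_scan", "src_ip": "192.0.2.44", "dst_host": "web-01"},
    {"ts": "2019-08-31T11:03:00", "type": "ids_alert", "src_ip": "192.0.2.44", "dst_host": "web-01", "sig": "SQLi attempt"},
    # A single failed login that should not trigger anything.
    {"ts": "2019-08-31T11:30:00", "type": "auth_fail", "user": "bob", "host": "srv-01", "src_ip": "10.0.0.9"},
]


def parse_ts(event):
    """Return the event timestamp as a datetime."""
    return datetime.fromisoformat(event["ts"])


def failed_account_probe_multiple_hosts(events, window=timedelta(minutes=5), min_hosts=3):
    """Rule: one account fails authentication on >= min_hosts distinct hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth_fail":
            by_user[e["user"]].append(e)
    alerts = []
    for user, fails in by_user.items():
        fails.sort(key=parse_ts)
        for i, first in enumerate(fails):
            start = parse_ts(first)
            hosts = {f["host"] for f in fails[i:] if parse_ts(f) - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "failed_account_probe_multiple_hosts", "user": user, "hosts": sorted(hosts)})
                break  # one alert per account; a real SIEM would suppress repeats for the window
    return alerts


def concurrent_vpn_multiple_countries(events, window=timedelta(hours=1)):
    """Rule: one account logs into the VPN from two different countries within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "vpn_login":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=parse_ts)
        for a, b in zip(logins, logins[1:]):
            if a["country"] != b["country"] and parse_ts(b) - parse_ts(a) <= window:
                alerts.append({"rule": "concurrent_vpn_multiple_countries", "user": user,
                               "countries": [a["country"], b["country"]]})
                break
    return alerts


def port_scan_then_attack(events, window=timedelta(minutes=10)):
    """Rule: an IDS alert from a source within `window` after that same source port-scanned us."""
    scans = [e for e in events if e["type"] == "port_scan"]
    attacks = [e for e in events if e["type"] == "ids_alert"]
    alerts = []
    for s in scans:
        for a in attacks:
            delta = parse_ts(a) - parse_ts(s)
            if a["src_ip"] == s["src_ip"] and timedelta(0) <= delta <= window:
                alerts.append({"rule": "port_scan_then_attack", "src_ip": s["src_ip"],
                               "target": a["dst_host"], "signature": a["sig"]})
                break
    return alerts


def run_all(events):
    """Evaluate every rule and return the combined alert list."""
    return (failed_account_probe_multiple_hosts(events)
            + concurrent_vpn_multiple_countries(events)
            + port_scan_then_attack(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule keys on the pivot field an analyst would use to triage it (account name or source address) and emits at most one alert per pivot per pass, which is the usual way to keep a correlation rule from flooding the console; the `window` and `min_hosts` parameters are where the baseline tuning mentioned above happens.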
